Grafana Labs Says GitHub hit by cyberattack
Incident
Summary
Hide ▲
Show ▼
A Grafana Labs incident was later tied to the Mini Shai-Hulud supply-chain campaign against TanStack npm packages. Grafana said an unauthorized party used a token to access its GitHub environment and download its codebase, and the company later learned the attacker also took some internal operational information and other details from its repositories. Grafana said it first spotted the activity on May 11 and disclosed the incident on May 17; it also said there is no indication customer production systems or the Grafana Cloud platform were compromised.
Related Happenings
GitHub data exposed after GitHub breach
Data Leak
First: 20.05.2026 11:14
Last: 20.05.2026 11:14
Sources 1
About this happening:
GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub data exposed after GitHub breach
Data LeakAbout this happening: GitHub confirmed **exfiltration** of **internal repositories**, making private code and related content potentially available to outsiders. Attackers on the **Breached cybercrime...
GitHub internal repositories private-code leak claim
Data Leak
First: 20.05.2026 08:08
Last: 20.05.2026 08:08
Sources 1
About this happening:
GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
GitHub internal repositories private-code leak claim
Data LeakAbout this happening: GitHub is facing a claimed leak of **internal repositories** after **TeamPCP** said it had access to about **4,000 private-code repos** and tried to sell samples. The alleged expo...
Latest development: 21.05.2026 17:45
A malicious version of Nx Console 18.95.0 was uploaded to Visual Studio Marketplace and Open VSX on May 18, fetched an obfuscated payload, and harvested secrets from ~/.vault-token, /etc/vault/token, .npmrc, ghp_/gho_/ghs_ tokens, AWS metadata, and other local sources; GitHub said the poisoned VS Code extension led to unauthorized access to about 3800 internal repositories.
GitHub hit by network compromise
Incident
First: 20.05.2026 07:01
Last: 20.05.2026 07:01
Sources 1
About this happening:
GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
GitHub hit by network compromise
IncidentAbout this happening: GitHub is investigating unauthorized access to its internal repositories after a third party allegedly offered stolen material for sale on a cybercrime forum. The intrusion was li...
Latest development: 20.05.2026 13:45
GitHub detected unauthorized access tied to a poisoned Visual Studio Code (VS Code) extension on an employee device, removed the malicious extension version, isolated the endpoint, and began incident response to contain exposure across internal repositories.
Grafana Labs source code leak and extortion demand
Data Leak
First: 19.05.2026 12:15
Last: 19.05.2026 12:15
Sources 1
How related:
an “unauthorized party” managed to obtain a token, giving them access to the firm’s GitHub environment and enabling them to download its source code.
About this happening:
The **Grafana Labs** codebase was **downloaded from its GitHub environment**, creating a risk that proprietary source code could be **released or misused**. The company said **no...
Grafana Labs source code leak and extortion demand
Data LeakHow related: an “unauthorized party” managed to obtain a token, giving them access to the firm’s GitHub environment and enabling them to download its source code.
About this happening: The **Grafana Labs** codebase was **downloaded from its GitHub environment**, creating a risk that proprietary source code could be **released or misused**. The company said **no...
CoinbaseCartel escalates extortion activity with more than 100 victims
Threat Actor Meta
First: 18.05.2026 16:46
Last: 18.05.2026 16:46
Sources 1
How related:
The CoinbaseCartel launched last September and has been quite active this year, announcing more than 100 victims on its data leak portal.
About this happening:
**CoinbaseCartel** has expanded its extortion operation, publicly listing **more than 100 victims** on a **data leak portal**. The growth signals a more scalable criminal ecosyste...
CoinbaseCartel escalates extortion activity with more than 100 victims
Threat Actor MetaHow related: The CoinbaseCartel launched last September and has been quite active this year, announcing more than 100 victims on its data leak portal.
About this happening: **CoinbaseCartel** has expanded its extortion operation, publicly listing **more than 100 victims** on a **data leak portal**. The growth signals a more scalable criminal ecosyste...
Timeline
-
17.05.2026 10:13 3 articles · 10d ago
Grafana discloses GitHub token access, codebase download, and extortion attempt
Initial DisclosureGrafana disclosed that an unauthorized party obtained a token that enabled access to the company's GitHub environment and download of its codebase. Grafana said no customer data or personal information was accessed and no customer systems or operations were affected, while the attacker attempted blackmail and extortion, demanded payment to stop publication of the stolen database, and Grafana declined to pay; the company also said it launched a forensic analysis, identified the source of the leak, invalidated the compromised credentials, and implemented extra security measures.
Show sources
- Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt — thehackernews.com — 17.05.2026 10:13
- Grafana says stolen GitHub token let hackers steal codebase — www.bleepingcomputer.com — 18.05.2026 16:46
- Grafana Labs Says Code Breach Stemmed from TanStack Attack — www.infosecurity-magazine.com — 21.05.2026 11:00